For years, Google managed to avoid major security slip-ups, having nurtured the reputation of a tech giant that does a relatively decent job at keeping your data safe, even though the only reason it has to do so is that it harvests and devours every single little piece of information about your digital life that it can in order to fuel its advertising empire.
Well, that illusion started dispersing some time ago; first, with the revelation of the Google+ vulnerability that potentially compromised millions, having eventually marked the official end of the failed social media network. Then, with the fact Google is all too happy to look for a reason to override manually set privacy controls on Android devices. Another similar story now came to light, having been disclosed by Google itself.
As it turns out, some G Suite users had a number of their passwords stored in plaintext due to what Google labeled an "issue" but would probably be more accurately described as an "amateur-level oversight." Worst of all, the newly reported vulnerability has been affecting select passwords managed by Alphabet's subsidiary since – 2005.
Google is quick to point out the problem only potentially compromised business accounts, i.e. those managed as part of the G Suite network, as if letting down its paying customers somehow makes things better. The company started notifying potentially compromised users several days back and is currently working with their system administrators in order to ensure they all change their passwords that might have been accessed at some point in the last 14 years.
For what it's worth, Google found no evidence of third parties being aware of the vulnerability and taking advantage of it in the past, yet it's not like it keeps super detailed server access logs dating back a decade and a half. Furthermore, even the plaintext passwords were still being stored within its overall G Suite infrastructure that has a layer of encryption on its own, so it's not like someone could have just stumbled upon sensitive data without finding a way past those cryptographically secured protocols, which in itself isn't likely.
Yet the fact that redundancy saved the day in this instance doesn't exactly inspire confidence in the core of Google's operations being secure, i.e. developed with such protections in mind. If the situation wasn't serious, Google would not be forcing users into doing a password reset, i.e. remotely reseting the passwords of those who ignore the warnings it's now sending out, which is what it already confirmed was the short-term plan.
Again, the situation is all the more bizarre given the fact that in spite of all of Google's recent slip-ups on the security front, the company generally isn't this inept at identifying and patching up system vulnerabilities, yet it has now disclosed one that's been an issue for the majority of its existence. No digital system is perfectly secure, nor will it ever be, yet the question that's now being raised unavoidably is how many more critical vulnerabilities are hiding in Google's code, waiting to be discovered, hopefully by the company itself?